On 12/27/2012 06:40 PM, Reindl Harald wrote:
On 28.12.2012 00:24, Jan M. Dziewulski wrote:
On 27/12/2012 23:17, Robert Moskowitz wrote:
hmmm. Thinking (really!) I should change it back and try https:/.../webmail and see if it works. If it does, I need to add a force redirect to the roundcube.conf. Thinking more, this is reasonable as this is how my current squirrelmail works.
But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a redirection increases security issues (for your site), so I personally would not be keen to do that.
My little bit of testing gives the user a bad experience if they use http://fqdn/webmail. The ajax error is so cryptic. I suppose with some digging I can find a way to get it to say, "use https:// like you were instructed!" instead. Until I do, I tend toward a forced redirect to https.
As for security issues for my site? What, yet another DOS attack with TLS costs to any robo that hits on my webmail url?
My expertise is in designing security protocols, not impact of force using them. ;)
it does not if it is done right
<Directory "roundcube-dir">
    php_admin_flag session.cookie_secure "1"
</Directory>
this makes sure that a client will NEVER send the session cookie unencrypted; if you get an external security audit and do not use this setting for https sites you will get warned by the auditor, and if not, he did not do his job!
Perhaps I am implementing this wrong on my server. My roundcubemail.conf has
<Directory /usr/share/roundcubemail/>
    Order Deny,Allow
    Allow from all
</Directory>
Am I supposed to put your <Directory "roundcube-dir"> ... after this entry, or the php_admin_flag in the one I have?
What do you use for force_https and use_https?
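Added example, written by the editor and not by any participant in the thread: one way to lay out an Apache configuration that combines the forced https redirect discussed above with the session.cookie_secure flag, placed inside the existing Roundcube Directory block rather than in a second one. It uses the Apache 2.2 Order/Allow syntax already on the page. The host name mail.example.com, the certificate paths, the /webmail alias and the additional session.cookie_httponly flag are assumptions made for the example.

```apache
# Added example, not from any poster. Host name, certificate paths and the
# /webmail alias are placeholders.

# Plain-http vhost: serve nothing but a redirect, so a client that types
# http://mail.example.com/webmail never reaches Roundcube over cleartext
# and never gets as far as the cryptic ajax error.
<VirtualHost *:80>
    ServerName mail.example.com
    Redirect permanent /webmail https://mail.example.com/webmail
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    # Placeholder certificate paths; adjust to the local PKI layout.
    SSLCertificateFile    /etc/pki/tls/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.example.com.key

    # Assumed alias; the distribution's roundcubemail.conf may use another path.
    Alias /webmail /usr/share/roundcubemail

    # The php_admin_flag belongs inside the Directory block that already
    # exists for Roundcube. session.cookie_secure sets the Secure attribute
    # on the PHP session cookie, so a browser will only send it over TLS
    # even if some link or bookmark still points at http://.
    <Directory /usr/share/roundcubemail/>
        Order Deny,Allow
        Allow from all
        php_admin_flag session.cookie_secure "1"
        # Additional hardening not mentioned in the thread: keep the session
        # cookie out of reach of page scripts as well.
        php_admin_flag session.cookie_httponly "1"
    </Directory>
</VirtualHost>
```

With the redirect handled in Apache, Roundcube itself never sees a plain-http request, so its own force_https / use_https options become a second line of defence rather than the mechanism that moves users to https. Note that Apache does not accept comments after a directive on the same line, which is why every comment above sits on its own line, and that php_admin_flag only takes effect when PHP runs as mod_php, which is what the php_admin_flag usage in the thread already assumes.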